Short term or one-time-use X.509 digital certificates

ABSTRACT

A method includes receiving a request from a certificate user to utilize a short-term private key-public key pair. The short-term private key-public key pair includes a short-term private key and a public key. The short-term private key may expire after a period less than a year in length. The method further includes generating, using a processor, the short-term private key and generating, using the processor, the public key. The method further includes requesting a public key certificate from a Certificate Authority (CA). The method also includes receiving the public key certificate from the CA and pairing the short-term private key with the public key certificate. The public key certificate may include the public key that corresponds to the short-term private key. The method further includes storing the short-term private key-public key pair to a storage.

BACKGROUND

The disclosure relates generally to X.509 digital certificates, and morespecifically to short-term or one-time-use X.509 digital certificates.

SUMMARY

According to one embodiment of the disclosure, a method includesreceiving a request from a certificate user to utilize a short-termprivate key-public key pair. The short-term private key-public key pairincludes a short-term private key and a public key. The short-termprivate key may expire after a period less than a year in length. Themethod further includes generating, using a processor, the short-termprivate key and generating, using the processor, the public key. Thepublic key may correspond to the short-term private key. The methodfurther includes requesting a public key certificate from a CertificateAuthority (CA). The request for the public key certificate may includethe public key. The method also includes receiving the public keycertificate from the CA and pairing the short-term private key with thepublic key certificate. The public key certificate may include thepublic key that corresponds to the short-term private key. The methodfurther includes storing the short-term private key-public key pair to astorage.

According to another embodiment of the disclosure, a method includesreceiving, from a certificate requestor: a request for a public keycertificate and a list of a plurality of distribution addresses. Therequest may include a public key for the certificate requestor. Theplurality of distribution addresses may belong to a plurality of thirdparties. The method further includes verifying an identity of thecertificate requestor, and, in response to verifying the identity of thecertificate requestor, retrieving a public key from the request for thepublic key certificate. The method may also include, in response toverifying the identity of the certificate requestor, generating thepublic key certificate and signing the public key certificate. Thepublic key certificate may include the public key. The method may alsoinclude transmitting the signed public key certificate to thecertificate requestor and the plurality of distribution addresses.

According to another embodiment of the disclosure, a method includesgenerating, using a processor, a private key-public key pair. Theprivate key-public key pair may include a private key and a public key.The method also includes generating a request for a public keycertificate. The request may include the public key. The method furtherincludes sending the request for the public key certificate to aCertificate Authority (CA) and receiving the public key certificate fromthe CA. The public key certificate may be signed by the CA. The methodalso includes using the public key certificate received from the CA andtransmitting the public key certificate received from the CA to aplurality of distribution addresses. The plurality of distributionaddresses belong to a plurality of third parties.

According to another embodiment of the disclosure, a method includes,for respective queues of a plurality of queues stored in a storage:generating, using a processor, a private key-public key pair; andstoring the private key-public key pair to a back of the queue. Theprivate key-public key pair may include a private key and a public key.The method also includes receiving a request from a certificate user toutilize a private key-public key pair. The method further includesretrieving a first private key-public key pair from a front of a firstqueue of the plurality of queues. The method also includes using thefirst private key-public key pair and generating a new privatekey-public key pair to replace the first private key-public key pair.The method also includes storing the new private key-public key pair toa back of the first queue.

Other features and advantages of the present disclosure are apparent topersons of ordinary skill in the art in view of the following detaileddescription of the disclosure and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the configurations of the presentdisclosure, needs satisfied thereby, and the features and advantagesthereof, reference now is made to the following description taken inconnection with the accompanying drawings.

FIG. 1 illustrates a block diagram of a system for generating andstoring short-term or one-time-use X.509 digital certificates inaccordance with a non-limiting embodiment of the present disclosure.

FIG. 2 illustrates a real-world implementation of a system forgenerating and storing short-term or one-time-use X.509 digitalcertificates in a closed corporate deployment environment in accordancewith a non-limiting embodiment of the present disclosure.

FIG. 3 illustrates a real-world implementation of a system forgenerating and storing short-term or one-time-use X.509 digitalcertificates in a corporate Bring-Your-Own-Device (BYOD) environment inaccordance with a non-limiting embodiment of the present disclosure.

FIG. 4 illustrates a real-world implementation of a system forgenerating and storing short-term or one-time-use X.509 digitalcertificates in a home Internet-of-Things (IoT) environment inaccordance with a non-limiting embodiment of the present disclosure.

FIG. 5 illustrates a flow chart of a method for generating and storingshort-term X.509 digital certificates in accordance with a non-limitingembodiment of the present disclosure.

FIG. 6 illustrates a flow chart of a method for using short-term X.509digital certificates in accordance with a non-limiting embodiment of thepresent disclosure.

FIG. 7 illustrates a system for requesting and using short-term X.509digital certificates in accordance with a non-limiting embodiment of thepresent disclosure.

FIG. 8 illustrates a system and a method for requesting and usingshort-term X.509 digital certificates in accordance with a non-limitingembodiment of the present disclosure.

FIG. 9 illustrates a flow chart of a method for synchronized X.509digital certificate deployment in accordance with a non-limitingembodiment of the present disclosure.

FIG. 10 illustrates a system for storing X.509 digital certificates in aqueueing environment in accordance with a non-limiting embodiment of thepresent disclosure.

FIG. 11 illustrates a real-world implementation of the queueingenvironment for storing X.509 digital certificates in accordance with anon-limiting embodiment of the present disclosure.

FIG. 12 illustrates a flow chart of a method for storing X.509 digitalcertificates in a queueing environment in accordance with a non-limitingembodiment of the present disclosure.

FIG. 13 illustrates a flow chart of a method for synchronized X.509digital certificate deployment in accordance with a non-limitingembodiment of the present disclosure.

DETAILED DESCRIPTION

As will be appreciated by one skilled in the art, aspects of the presentdisclosure may be illustrated and described herein in any of a number ofpatentable classes or context including any new and useful process,machine, manufacture, or composition of matter, or any new and usefulimprovement thereof. Accordingly, aspects of the present disclosure maybe implemented entirely in hardware, entirely in software (includingfirmware, resident software, micro-code, etc.) or combining software andhardware implementation that may all generally be referred to herein asa “circuit,” “module,” “component,” or “system.” Furthermore, aspects ofthe present disclosure may take the form of a computer program productembodied in one or more computer readable media having computer readableprogram code embodied thereon.

Any combination of one or more computer readable media may be utilized.The computer readable media may be a computer readable signal medium ora computer readable storage medium. A computer readable storage mediummay be, for example, but not limited to, an electronic, magnetic,optical, electromagnetic, or semiconductor system, apparatus, or device,or any suitable combination of the foregoing. More specific examples (anon-exhaustive list) of the computer readable storage medium wouldinclude the following: a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an appropriateoptical fiber with a repeater, a portable compact disc read-only memory(CD-ROM), an optical storage device, a magnetic storage device, or anysuitable combination of the foregoing. In the context of this document,a computer readable storage medium may be any tangible medium that cancontain, or store a program for use by or in connection with aninstruction execution system, apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device. Program codeembodied on a computer readable signal medium may be transmitted usingany appropriate medium, including but not limited to wireless, wireline,optical fiber cable, RF, etc., or any suitable combination of theforegoing.

Computer program code for carrying out operations for aspects of thepresent disclosure may be written in any combination of one or moreprogramming languages, including an object oriented programminglanguage, such as JAVA®, SCALA®, SMALLTALK®, EIFFEL®, JADE®, EMERALD®,C++, C#, VB.NET, PYTHON® or the like, conventional proceduralprogramming languages, such as the “C” programming language, VISUALBASIC®, FORTRAN® 2003, Perl, COBOL 2002, PHP, ABAP®, dynamic programminglanguages such as PYTHON®, RUBY® and Groovy, or other programminglanguages. The program code may execute entirely on the user's computer,partly on the user's computer, as a stand-alone software package, partlyon the user's computer and partly on a remote computer or entirely onthe remote computer or server. In the latter scenario, the remotecomputer may be connected to the user's computer through any type ofnetwork, including a local area network (LAN) or a wide area network(WAN), or the connection may be made to an external computer (forexample, through the Internet using an Internet Service Provider) or ina cloud computing environment or offered as a service such as a Softwareas a Service (SaaS).

Aspects of the present disclosure are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatuses(systems) and computer program products according to aspects of thedisclosure. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable instruction executionapparatus, create a mechanism for implementing the functions/actsspecified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that when executed can direct a computer, otherprogrammable data processing apparatus, or other devices to function ina particular manner, such that the instructions when stored in thecomputer readable medium produce an article of manufacture includinginstructions which when executed, cause a computer to implement thefunction/act specified in the flowchart and/or block diagram block orblocks. The computer program instructions may also be loaded onto acomputer, other programmable instruction execution apparatus, or otherdevices to cause a series of operational steps to be performed on thecomputer, other programmable apparatuses or other devices to produce acomputer implemented process such that the instructions which execute onthe computer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

Public key cryptography enables users to securely communicate overinsecure public networks. In the typical public key infrastructure (PKI)arrangement, a public key is sent to a trusted third party (TTP) knownas a certificate authority (CA), who issues and signs an X.509 digitalcertificate. X.509 is a standard that specifies the format for publickey certificates, among other aspects of a PKI system. The X.509standard is described in RFC 2459, published in 1999, and the morecurrent version is described in RFC 5280, published in 2008. Acertificate user can use the X.509 digital certificate to verify thesender's identity, to encrypt data, to sign data, or other uses.

A standard X.509 certificate contains a public key that corresponds tothe certificate user's private key. The certificate user uses her ownprivate key to sign or encrypt data and distributes her public key toexternal users to use to decrypt or authenticate data sent by thecertificate user. Private key-public key pairs traditionally lastbetween one and five years before they expire. Because an outsider'saccess to a sender's private key would unravel the entire securitybenefit of PKI systems, these private keys must be highly guarded. Butan inherent risk remains—even if the private key is highly guarded—thatthe private key will be stolen. Once a private key is stolen, anotherentity may pretend to be someone he is not. In a traditional system,once a private key is discovered missing or stolen, the private keyowner must tell the CA, who can invalidate the private key-public keypair.

Certain embodiments of the present disclosure provide digitalcertificates that increase the security of the PKI system by reducingthe likelihood that the private key will be stolen. Short-term orone-time-use private keys may be used that need not be stored for theextended period of time (e.g., 1 to 5 years) that a traditionalcertificate may be kept. Certain embodiments of the present disclosurealso provide a PKI system that enables public key certificatescorresponding to private keys to be easily and efficiently distributedto third parties, as well as a queueing storage solution that increasesspeed and efficiency of retrieving and distributing private key-publickey pairs, especially if those key pairs need be distributed often.

With reference to FIG. 1, a system 100 for generating and storingshort-term or one-time-use X.509 digital certificates is illustrated inaccordance with a non-limiting embodiment of the present disclosure.System 100 includes a container 10, which may be for example a webserver. System 100 also includes a hard disk 11, processor 13, storage14, interface 15, and input/output (I/O) 17. Processor 13 loadsinstructions from hard disk 11 and executes them in storage 14. Storage14 may include temporary or permanent storage or memory, for examplerandom access memory (RAM), a hard disk drive (HDD), a solid state drive(SDD), network attached storage (NAS), a USB thumb drive or flash drive,an optical drive such as a compact disc (CD) or digital video disc(DVD), cloud storage, or any other type of storage. Storage 14 may holdone or more short-term private key-public key pairs, for example keypair 141 and key pair 142. System 100 may also comprise certificaterequestor 12 (for example, a web browser), which requests 22 acertificate from Certificate Authority (CA) 20. CA 20 may return signedpublic key infrastructure (PKI) certificate 24, which may also be knownas a public key certificate, to certificate requestor 12. System 100 mayalso include certificate distributor 16, which may distribute signed PKIcertificates, for example signed PKI certificate 24, to a certificateuser, for example certificate user 42. Certificate distributor 16 maydistribute a second signed PKI certificate to certificate user 44, and athird signed PKI certificate to certificate user 46. A user, for exampleuser 52, user 54, or user 56, may be for example a system administratoror a general member of the public attempting to gain access to aparticular website. The user may access a system that needs to use acertificate, for example user 52 may access certificate user. Thecomponents of system 100, including certificate authority 20, server 10,and certificate users 42, 44, and 46 are all connected via network 30.

With reference to FIG. 2, a real-world implementation of a system 200for generating and storing short-term or one-time-use X.509 digitalcertificates in a closed corporate deployment environment is illustratedin accordance with a non-limiting embodiment of the present disclosure.System 200 may be a closed corporate deployment environment, which mayhave a closed network. System 200 may include a central server 270,which may have a certificate requestor that requests public keycertificates 271 from the certificate authority and a certificatedistributor that distributes public key certificates 271 to thecertificate users. System 200 may have one or more certificate users,for example server 210, server 220, computer 230, multiple servers 262,264, or 264, or multiple servers 242, 244, or 246. Computer 230 may be alaptop computer or a desktop computer. Server 270 may just distributepublic key certificate 271 to a certificate user, or server 270 may usepublic key certificate 271 to encrypt data sent over the closedcorporate network. Server 270 may distribute public key certificate 211to certificate user server 210, public key certificate 221 tocertificate user server 220, public key certificate 231 to certificateuser computer 230, public key certificates 241 to certificate userservers 242, 244, and 246, public key certificate 261 to certificateuser servers 262, 264, or 266.

With reference to FIG. 3, a real-world implementation of a system 300for generating and storing short-term or one-time-use X.509 digitalcertificates in a corporate Bring-Your-Own-Device (BYOD) environment isillustrated in accordance with a non-limiting embodiment of the presentdisclosure. A BYOD environment is one in which entities, usuallyemployees, bring their own computing devices (e.g., smartphone, tablet,laptop) to the workplace. Security is a particular concern in BYODenvironments due to the variety of devices an information technology(IT) group may have to support, and the inherent inconsistencyassociated with supporting that number of devices. System 300 may be acorporate BYOD environment with a central server 310 that sends andreceives short-term or one-time-use digital certificates 311. System 300may have other devices within the closed corporate network, includingfor example computer 320 that sends and receives short-term orone-time-use digital certificates 321, and/or a series of servers 332,334, and 336 that send and receive short-term or one-time-use digitalcertificates 331. System 300 may then include the devices brought byemployees to the BYOD network that also send and receive short-term orone-time-use digital certificates. For example, system 300 may includeone or more devices (e.g., smartphones, tablets) 342, 344, and/or 346,each of which sends and receives short-term or one-time-use digitalcertificates 341, 343, and/or 345, respectively.

With reference to FIG. 4, a real-world implementation of a system 400for generating and storing short-term or one-time-use X.509 digitalcertificates in a home Internet of Things (IoT) environment isillustrated in accordance with a non-limiting embodiment of the presentdisclosure. The Internet of Things (IoT) is a network of objects (e.g.,devices, buildings, etc.) that are equipped with network connectivity,sensors, or software so that the objects can communicate with oneanother. For example, a “smart home” may be equipped with many differentsensors or devices that are connected to the Internet, for example in awired or wireless capacity. System 400 may include a smartphone 410 orother device that is connected to one or more other devices in a homeenvironment and can send and receive short-term or one-time-use digitalcertificates 411 with other devices in the home, for example microwave430. Microwave 430 may have Internet connectivity and software thatenables it to send and receive short-term or one-time-use digitalcertificates 431. System 400 may also include refrigerator 420 that hasconnectivity enabling it to send and receive short-term or one-time-usedigital certificates 421. System 400 may also include one or morewashing machines or dryers 452 or 454, respectively, that haveconnectivity and can send or receive short-term or one-time-use digitalcertificates 451. System 400 may also include one or more other devicesor chips 442, 444, or 446 that are embedded into other portions of thehome or building that can send and receive short-term or one-time-usedigital certificates 441, 443, or 445, respectively.

With reference to FIG. 5, a flow chart of a method for generating andstoring short-term X.509 digital certificates is illustrated inaccordance with a non-limiting embodiment of the present disclosure. Amethod 500 for generating and using short-term private keys isdescribed. The method comprises receiving a request from a certificateuser (e.g., certificate user 42, certificate user 44, certificate user46) to utilize a short-term private key-public key pair. The short-termpublic key-private key pair may include a short-term private key, whichmay expire after a period less than a year in length, and a public key.The short-term private key may be used for a period of time specified inthe software or specified by a user. The expiration period may bespecified by a user input, for example via a mouse or keyboard. Theexpiration period may also be specified via a configuration file. Theexpiration period may also be determined by an algorithm in thesoftware. The short-term private key may be used for a set time (e.g., 1day, 1 week, 1 year), or may be used for a set number of times before itexpires and is disposed (e.g., 1 time, 5 times, 10 times). In analternative embodiment, the short-term private key may be re-used anunlimited number of times until it expires. The public key may also beused for a set period of time or may be used for a set number of timesbefore it expires and is disposed. At step 510, the method generates,using processor 13, a short-term private key. The method may alsogenerate a public key using processor 13. The public key may correspondto the short-term private key. At step 520, the method may request a newpublic key or public key certificate from a Certificate Authority (CA).The request for the new public key certificate may include the generatedpublic key and identifying information about the certificate requestor.The CA may verify the authenticity of the certificate requestor, forexample if the certificate requestor signs the request for the publickey certificate, the CA may verify that the signature is valid beforeissuing a public key certificate. The CA thus acts as a trusted thirdparty to verify the identity of the certificate requestor. Afterverifying the signature of the certificate requestor, the CA may signthe public key certificate and return the public key certificate to thecertificate requestor.

At step 530, the certificate requestor may receive a public keycertificate from the CA. The public key certificate may be signed by theCA. At step 540, the method may pair the generated short-term privatekey with the signed public key certificate received from the CA. At step550, the method may store the short-term private key-public key pair tostorage. The method may also include using the short-term privatekey-public key pair. The short-term private key-public key pair can beused for any purpose, for example to secure data. Securing data mayinclude authenticating an entity that intends to send or receive thedata. Securing data may further include signing a document or encryptingdata to be sent over network 30. The short-term private key-public keypair may be used for signing a document, a portion of a document, atransaction, or a portion of the transaction. For example, the methodmay include producing an extensible markup language (XML) document (asecurity assertion markup language (SAML) Assertion) which is sent as apart of a transaction from an Identity Provider to a Service Provider.This XML document may contain a signature that can sign either theentire document or only a portion of the document. As another example,the short-term private key-public key pair may be used to authenticate acertificate user. As yet another example, the short-term privatekey-public key pair may be used to encrypt data or information. After asingle use of the short-term private key-public key pair, the method mayinclude discarding the short-term private key-public key pair. Themethod may further include retrieving the short-term private key-publickey pair that was previously stored to storage from said storage. Themethod may further include determining whether the short-term privatekey-public key pair is invalid. The short-term private key-public keypair may be invalid if either the short-term private key or the publickey—or both—are invalid. Either the short-term private key or the publickey may be invalid if one of the pair are expired, revoked, suspended,or otherwise inactive. For example, if the short-term private key has aset expiration period and that expiration period has passed, it may beexpired and thus invalid. As another example, if the short-term privatekey is set to expire after one use, then after the key has been usedonce, it may be expired and thus invalid. As another example, if thepublic key corresponding to the short-term private key has expired orhas been revoked (e.g., on a certificate revocation list (CRL) or has aninvalid validity period as part of its certificate), then both theshort-term private key and the public key may be invalid. The methodthus may include determining whether the short-term private key-publickey pair has expired. The method may include receiving as input from auser a configuration specifying a length of an expiration period for theshort-term private key. The method may include generating multipleshort-term private key-public key pairs and storing multiple pairs tostorage. The method may include a first short-term private key-publickey pair and a second short-term private key-public key pair beingstored to storage. The method may include any two short-term privatekey-public key pairs being independent from one another. For example,short-term private keys may be stored in high-security storage orlow-security storage without tying the short-term private key to anyother short-term private key. Rather, the short-term private keys may beentirely independent of one another.

With reference to FIG. 6, a flow chart of a method 600 for usingshort-term X.509 digital certificates is illustrated in accordance witha non-limiting embodiment of the present disclosure. At step 610, themethod receives a request from a certificate user to utilize ashort-term private key-public key pair. At step 620, the methodretrieves the short-term private key-public key pair from the storage.At step 630, the method determines whether the short-term privatekey-public key pair has expired. If the short-term private key-publickey pair has expired, then the method discards the short-term privatekey-public key pair at step 640. If the short-term private key-publickey pair has not expired, then the method uses the short-term privatekey-public key pair at step 650. At step 660, after a single use of theshort-term private key-public key, the method discards the short-termprivate key-public key pair. The method may discard the key pairimmediately upon using the key pair or may wait. For example, the methodmay mark the key pair for deletion and wait for a future clean-uproutine to discard the key pair.

With reference to FIG. 7, a system 700 for requesting and usingshort-term X.509 digital certificates is illustrated in accordance witha non-limiting embodiment of the present disclosure. System 700 maycomprise certificate requestor 710, which may request a public keycertificate from Certificate Authority (CA) 720. Certificate requestor710 may receive from certificate user 730 a list of distributionaddresses to whom the public key certificate should be sent. Certificaterequestor 710 may send the list of distribution addresses to CA 720. CA720 may generate a public key certificate and return that public keycertificate to certificate user 730 through certificate requestor 710.CA 720 may also transmit the generated public key certificate to one ormore addresses on the list of distribution addresses. For example, ifpublic key recipients 742, 744, and 746 were each on the list ofdistribution addresses, CA 720 may transmit the generated public keycertificate to public key recipients 742, 744, and 746.

With reference to FIG. 8, a system 800 and a method for requesting andusing short-term X.509 digital certificates is illustrated in accordancewith a non-limiting embodiment of the present disclosure. At step 810, arequest for a new short-term private key-public key pair is received bya certificate requestor 815. At step 820, a certificate signing request(CSR) is generated using processor 13, along with a new short-termprivate key and public key. The short-term private key is temporarilystored unpaired in keystore 870. At step 830, the CSR is sent to theCertificate Authority (CA) 880. CA 880 verifies the identity ofcertificate requestor 815, generates a public key certificate, and signsthe public key certificate. At step 840, the signed public keycertificate is returned from CA 880 to certificate requestor 815.Certificate requestor pairs the signed public key certificate with itscorresponding private key at step 850 and stores the resulting key pairin keystore 870. Either CA 880 or certificate requestor may transmit thesigned public key certificate to a certificate user for deployment atstep 860 and also to secondary recipient 890. The certificate user usesthe signed public key certificate in its deployment environment 895.

With reference to FIG. 9, a flow chart of a method 900 for synchronizedX.509 digital certificate deployment is illustrated in accordance with anon-limiting embodiment of the present disclosure. Method 900 may beperformed at a Certificate Authority (CA) or by another entity. Method900 may include receiving a request for a public key certificate from acertificate requestor. At step 910, method 900 may include receiving alist of a plurality of distribution addresses from a certificaterequestor. Each distribution address may belong to a third party (i.e.,a party other than the certificate requestor). The list of distributionaddresses may include one or multiple distribution addresses. The listof distribution addresses may be received from a certificate user via aconfiguration file or via a user input such as a keyboard or mouse. Thelist of distribution addresses may also be generated by the certificaterequestor. At step 920, method 900 may include verifying an identity ofthe certificate requestor. In response to verifying the identity of thecertificate requestor, at step 930 method 900 may retrieve a public keyfrom the request. At step 940, method 900 may generate the public keycertificate. The public key certificate may include the public keyretrieved from the request. At step 950, method 900 may sign the publickey certificate. All of these steps (e.g., steps 930, 940, and 950) maybe performed in response to verifying the identity of the certificaterequestor or independently. At step 960, method 900 may transmit thesigned public key certificate to both the certificate requestor and theplurality of distribution addresses. Accordingly, method 900 maydistribute the signed public key certificate to each of the addresses onthe original list. The CA may transmit the signed public key certificateto both the original certificate requestor and to the plurality ofdistribution addresses contemporaneously.

The request for the public key certificate may be signed by thecertificate requestor, and the CA may verify the authenticity of thecertificate requestor's signature in order to verify the identity of thecertificate requestor. Method 900 may further include receiving arequest for a second public key certificate from a second certificaterequestor. The request for the second public key certificate may includea public key for the second certificate requestor. Method 900 mayfurther include receiving the public key for the second certificaterequestor from the request for the second public key certificate. Method900 may further include receiving a second list of a plurality ofdistribution addresses from the second certificate requestor. Method 900may also include retrieving the public key for the second certificaterequestor from the request for the second public key certificate. Method900 may further include determining whether the public key for thesecond public key certificate is invalid, and in response to determiningthat the public key for the second certificate requestor is invalid,discarding the public key for the second certificate requestor withoutgenerating a second public key certificate. A public key may beconsidered invalid if it has expired, been revoked (e.g., on acertificate revocation list (CRL)), has been suspended, or has otherwisebecome inactive. Determining whether the public key for the secondcertificate requestor is invalid may include determining whether the keyhas expired or has been revoked. If the public key is not invalid (i.e.,if the public key is active), then method 900 may not discard the publickey and may instead return a signed public key certificate with thepublic key inside. Method 900 may further include receiving a requestfor a second public key certificate from a second certificate requestor.The request for the second public key certificate may include a publickey for the second certificate requestor. Method 900 may further includereceiving a second list of a plurality of distribution addresses fromthe second certificate requestor. Method 900 may include attempting toverify the identity of the second certificate requestor. In response tobeing unable to verify the identity of the second certificate requestor,method 900 may include discarding the public key of the secondcertificate requestor without generating the second public keycertificate. In response to being able to verify the identity of thesecond certificate requestor, method 900 may include generating andtransmitting a second public key certificate to the second certificaterequestor.

With reference to FIG. 10, a system 1000 for storing X.509 digitalcertificates in a queueing environment is illustrated in accordance witha non-limiting embodiment of the present disclosure. System 1000 mayinclude certificate requestor 1020 that requests a public keycertificate from Certificate Authority (CA) 1010. CA 1010 may return apublic key certificate to certificate requestor 1020. Certificaterequestor 1020 may pair the public key certificate with a private key.The private key may be a traditional private key (which may not expirefor 1 to 5 years) or a short-term private key (which expires, forexample, less than a year after being created or may be discarded after,for example, a singular use). Certificate requestor may store theprivate key-public key pairs in one or more certificate queues 1042,1044, and 1046. One or more certificate users 1 through N, or forexample certificate users 1052, 1054, and 1056 may have a correspondingqueue in system 1000. Accordingly, all of the certificates stored forexample in certificate queue 1042 may be allocated for certificate user1052. There may be one or more certificate queues, depicted in FIG. 10as certificate queues for users 1 through N. In another embodiment,certificate queues may not be tied to certificate users and may be usedin accordance with another algorithm. For example certificate queues maybe created dynamically and distributed according to efficiency orstorage requirements of a system. System 1000 may further includecertificate distributor 1030, which may distribute one or more privatekey-public key pairs stored in one of certificate queues 1042, 1044, or1046 to certificate users 1052, 1054, or 1056. For example, ifcertificate user 1 1052 requests a private key-public key pair,certificate distributor 1030 may retrieve the private key-public keypair at the front of certificate queue 1042 and distribute that pair tocertificate user 1.

With reference to FIG. 11, a real-world implementation of the queueingenvironment for storing X.509 digital certificates is illustrated inaccordance with a non-limiting embodiment of the present disclosure. Thequeueing environment may contain any number of queues, for examplequeues 1 through N. The queues may be implemented in any programminglanguage and in any type of storage. In each queue, for example queue1110, a series of private key-public key pairs, for example pair 1120,pair 112, and pair 1124, may be stored. Similarly, key pair 1130, 1132,and 1134 may be stored in queue 1112, and pairs 1140, 1142, and 1144 maybe stored in queue 1114. When a pair is requested, the method mayretrieve a front key pair in a queue, for example private key-public keypair 1120 in queue 1110. The front key pair may have been the oldest keypair stored in the queue. According, the queues may embody a First In,First Out (FIFO) structure. When a new key pair is stored to the queue,the key pair will be stored in the back of the queue, for example as keypair 1124 in queue 1110.

With reference to FIG. 12, a flow chart of a method 1200 for storingX.509 digital certificates in a queueing environment is illustrated inaccordance with a non-limiting embodiment of the present disclosure. Atstep 1210, method 1200 may create a plurality of queues in a storage.For respective queues of a plurality of queues stored in a storage, atstep 1220, method 1200 may generate, using processor 13, a privatekey-public key pair. In other words, at step 1120, method 1200 maygenerate a plurality of private key-public key pairs. The privatekey-public key pairs may include private keys and public keys. Theprivate keys included in the private key-public key pairs may betraditional public keys that do not expire for 1 to 5 years or ashort-term private keys that may expire, for example, before a year ormay be discarded, for example, after a singular use. To generate aprivate key-public key pair, method 1200 may generate, using processor13, a private key and a public key. Method 1200 may request a public keycertificate from a Certificate Authority (CA). The request for thepublic key certificate may include the public key. Method 1200 mayfurther include receiving the public key certificate from the CA andpairing the previously-generated private key with the public keycertificate received from the CA. Each private key-public key pair maybe contained within a digital certificate, for example a X.509 digitalcertificate. The plurality of queues thus may hold a plurality ofdigital certificates that contain the key pairs.

At step 1230, method 1200 may store the generated private key-public keypairs to the plurality of queues. This step may occur for each queueuntil that queue is full, then move on to the next queue. This step mayalso occur for any number or configuration of queues. The queues may befilled in any order. At step 1240, method 1200 receives a request from acertificate user to utilize a private key-public key pair. Thecertificate user may use the private key-public key pair for anypurpose, including to secure data. Securing data may include, forexample, encrypting data or information, signing a document or portionof document, signing a transaction or a portion of a transaction, orauthenticating data, for example by authenticating the identity of auser. At step 1250, method 1200 retrieves a first private key-public keypair from a front of a queue. Method 1200 may further include using thefirst private key-public key pair, for example in the manner describedabove. At step 1260, method 1200 may include transmitting the retrievedprivate key-public key pair to a certificate user and/or using the firstprivate key-public key pair, for example in the manner described above.Method 1200 may further include generating a new private key-public keypair to replace the first private key-public key pair. Method 1200 mayfurther include storing the new private key-public key pair to a back ofa first queue. For example, if certificate user 1 used the front keypair from queue 1, method 1200 may generate a new key pair and place iton the back of queue 1. In this manner, method 1200 keeps the queues ina full or near-full state so that key pair retrieval is fast andefficient.

Method 1200 may further include retrieving a second private key-publickey pair from a front of a second queue of the plurality of queues anddetermining whether a private key of the second private key-public keypair is invalid (e.g., expired). Whether a key pair is consideredinvalid is described in detail above. Method 1200 may further include,in response to determining that the private key of the second privatekey-public key pair is invalid, discarding the second private key-publickey pair and retrieving subsequent private key-public key pairs from thesecond queue until a private key-public key pair that is not invalid isretrieved. Method 1200 may further include retrieving subsequent privatekey-public key pairs from one or more queues of the plurality of queuesif a valid key pair is not found on one queue. Method 1200 may furtherinclude, in response to retrieving the private key-public key pair withthe valid private key, using the private key-public key pair with thevalid private key. If no key pair with a valid private key is found,method 1200 may return an error and/or wait for a private key-public keypair that is valid to be created. Method 1200 thus may further includegenerating a private key-public key pair that is valid and using thatvalid key. Method 1200 may also perform the actions stated above indetermining whether a private key-public key pair with a valid publickey (rather than private key) exists.

Method 1200 may further include discarding the private key-public keypair after a single use of the first private key-public key pair. Method1200 may further include a cleanup mechanism to discover and discardexpired or otherwise invalid private key-public key pairs stored in theplurality of queues. For example, method 1200 may include, at configuredintervals, iterating through each private key-public key pair of theplurality of private key-public pairs stored in the plurality of queues,determining whether each private key-public key pair is invalid, fordiscarding each private key-public key pair that is invalid. For eachinvalid private key-public key pair, method 1200 may include generatinga new private key-public key pair and storing the new private key-publickey pair to the queue from which the invalid private key-public key pairwas discarded. In other words, method 1200 may refill the queues withnew, valid key pairs.

With reference to FIG. 13, a flow chart of a method 1300 forsynchronized X.509 digital certificate deployment is illustrated inaccordance with a non-limiting embodiment of the present disclosure.Synchronized X.509 digital certificate deployment may be implemented atcertificate requestor in addition to at the Certificate Authority, asdescribed above. Method 1300 thus may take place at the certificaterequestor. At step 1310, method 1300 may generate, using processor 13, aprivate key-public key pair. The private key-public key may include aprivate key and a public key. The private key may be of the traditionaltype described above or of the short-term type also described above. Atstep 1320, method 1300 may generate a request for a public keycertificate. The request for the public key certificate may include thepublic key generated above. At step 1330, method 1300 may send therequest for the public key certificate to the Certificate Authority(CA). At step 1340, method 1300 may receive the public key certificatefrom the CA. The public key certificate may be signed by the CA. At step1350, method 1300 may use the public key certificate received from theCA, for example for the uses described above (e.g., securing data,encrypting data, signing documents, portions of documents, ortransactions, or authenticating entities). At step 1360, method 1300 maytransmit the public key certificate received from the CA to a pluralityof distribution addresses. Each of the distribution addresses may belongto a third party. A list of distribution addresses may be provided tothe certificate requestor by a certificate user, for example via aconfiguration file or via user input such as a keyboard or a mouse. Inan alternate embodiment, the list of distribution addresses may begenerated by the certificate requestor. The public key certificate maybe transmitted to the plurality of distribution addressescontemporaneously with receiving the public key certificate from the CA.

Method 1300 may further include signing the request for the public keycertificate before the request is sent to the CA. The CA may verify thesignature of the request before it issues or signs the public keycertificate. The method may further include generating, using processor13, a second private key-public key pair. The second private key-publickey pair may include a second public key and a second private key.Method 1300 may further include generating a request for a second publickey certificate. The request may include the second public key. Method1300 may include sending the request for the public key certificate tothe CA, and receiving an indication from the CA that the CA will notsend the public key certificate. For example, the indication mayindicate that the CA will not send the public key certificate becauseone of the private key or the public key were invalid (e.g., expired),or because the CA could not verify a signature of the certificaterequestor, among other reasons. Method 1300 may further includediscarding the private key-public key pair after receiving theindication that the CA will not send the public key certificate.

The flowchart and block diagrams in the figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousaspects of the present disclosure. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

The terminology used herein is for the purpose of describing particularaspects only and is not intended to be limiting of the disclosure. Asused herein, the singular forms “a,” “an,” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”and/or “comprising,” when used in this specification, specify thepresence of stated features, integers, steps, operations, elements,and/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of anymeans or step plus function elements in the claims below are intended toinclude any disclosed structure, material, or act for performing thefunction in combination with other claimed elements as specificallyclaimed. The description of the present disclosure has been presentedfor purposes of illustration and description, but is not intended to beexhaustive or limited to the disclosure in the form disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of thedisclosure. The aspects of the disclosure herein were chosen anddescribed in order to best explain the principles of the disclosure andthe practical application, and to enable others of ordinary skill in theart to understand the disclosure with various modifications as aresuited to the particular use contemplated.

What is claimed is:
 1. A method, comprising: receiving a request from a certificate user to utilize a short-term private key-public key pair, the short-term private key-public key pair comprising a short-term private key and a public key, wherein the short-term private key expires after a period less than a year in length; receiving a configuration specifying a length of an expiration period for the short-term private key; generating, using a processor, the short-term private key; generating, using the processor, the public key, wherein the public key corresponds to the short-term private key; requesting a public key certificate from a Certificate Authority (CA), wherein the request for the public key certificate comprises the public key; receiving the public key certificate from the CA; pairing the short-term private key with the public key certificate, the public key certificate comprising the public key that corresponds to the short-term private key; storing the short-term private key-public key pair to a storage; and determining whether the short-term private key has expired.
 2. The method of claim 1, further comprising: using the short-term private key-public key pair; and after a single use of the short-term private key-public key pair, discarding the short-term private key-public key pair.
 3. The method of claim 1, further comprising: retrieving the short-term private key-public key pair from the storage; determining whether the short-term private key-public key pair is invalid; and in response to determining that the short-term private key-public key pair is invalid, discarding the short-term private key-public key pair.
 4. The method of claim 1, wherein a first short-term private key-public key pair and a second short-term private key-public key pair are stored to the storage, and wherein the short-term private key of the first short-term private key-public key and the short-term private key of the second short-term private key-public key pair are independent of each other.
 5. The method of claim 1, wherein the short-term private key-public key pair is used to secure data.
 6. The method of claim 5, wherein the short-term private key-public key pair is used to authenticate an entity.
 7. The method of claim 5, wherein the short-term private key-public key pair is used sign a document.
 8. The method of claim 5, wherein the short-term private key-public key pair is used to encrypt data.
 9. A computer configured to access a storage device, the computer comprising: a processor; and a non-transitory computer-readable storage medium storing computer-readable instructions that when executed by the processor cause the computer to perform: in response to receiving a request from a certificate user to utilize a short-term private key-public key pair, generating, using the processor, the short-term private key, the short-term private key-public key pair comprising a short-term private key and a public key, wherein the short-term private key expires after a period less than a year in length; receiving a configuration specifying a length of an expiration period for the short-term private key; generating, using the processor, the public key, wherein the public key corresponds to the short-term private key; requesting a public key certificate from a Certificate Authority (CA), wherein the request for the public key certificate comprises the public key; in response to receiving the public key certificate from the CA, pairing the short-term private key with the public key certificate, the public key certificate comprising the public key that corresponds to the short-term private key; storing the short-term private key-public key pair to a storage; and determining whether the short-term private key has expired.
 10. The computer of claim 9, wherein the computer-readable instructions further cause the computer to perform: using the short-term private key-public key pair; and after a single use of the short-term private key-public key pair, discarding the short-term private key-public key pair.
 11. The computer of claim 9, wherein the computer-readable instructions further cause the computer to perform: retrieving the short-term private key-public key pair from the storage; determining whether the short-term private key-public key pair is invalid; and in response to determining that the short-term private key-public key pair is invalid, discarding the short-term private key-public key pair.
 12. The method of claim 9, wherein a first short-term private key-public key pair and a second short-term private key-public key pair are stored to the storage, and wherein the short-term private key of the first short-term private key-public key and the short-term private key of the second short-term private key-public key pair are independent of each other.
 13. The method of claim 9, wherein the short-term private key-public key pair is used to secure data.
 14. The method of claim 13, wherein the short-term private key-public key pair is used to authenticate an entity.
 15. The method of claim 13, wherein the short-term private key-public key pair is used sign a document.
 16. A non-transitory computer-readable storage medium storing instructions that are executable to cause a system to perform operations comprising: in response to receiving a request from a certificate user to utilize a short-term private key-public key pair, generating, using a processor, the short-term private key, the short-term private key-public key pair comprising a short-term private key and a public key, wherein the short-term private key expires after a period less than a year in length; receiving a configuration specifying a length of an expiration period for the short-term private key; generating, using the processor, the public key, wherein the public key corresponds to the short-term private key; requesting a public key certificate from a Certificate Authority (CA), wherein the request for the public key certificate comprises the public key; in response to receiving the public key certificate from the CA, pairing the short-term private key with the public key certificate, the public key certificate comprising the public key that corresponds to the short-term private key; storing the short-term private key-public key pair to a storage; using the short-term private key-public key pair; after a single use of the short-term private key-public key pair, discarding the short-term private key-public key pair; and determining whether the short-term private key has expired. 